1 /*
2 * HTTP wrapper for libcurl
3 * Copyright (c) 2012-2014, Qualcomm Atheros, Inc.
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #include <curl/curl.h>
11 #ifdef EAP_TLS_OPENSSL
12 #include <openssl/ssl.h>
13 #include <openssl/asn1.h>
14 #include <openssl/asn1t.h>
15 #include <openssl/x509v3.h>
16
17 #ifdef SSL_set_tlsext_status_type
18 #ifndef OPENSSL_NO_TLSEXT
19 #define HAVE_OCSP
20 #include <openssl/err.h>
21 #include <openssl/ocsp.h>
22 #endif /* OPENSSL_NO_TLSEXT */
23 #endif /* SSL_set_tlsext_status_type */
24 #endif /* EAP_TLS_OPENSSL */
25
26 #include "common.h"
27 #include "xml-utils.h"
28 #include "http-utils.h"
29 #ifdef EAP_TLS_OPENSSL
30 #include "crypto/tls_openssl.h"
31 #endif /* EAP_TLS_OPENSSL */
32
33
34 #if OPENSSL_VERSION_NUMBER < 0x10100000L
ASN1_STRING_get0_data(const ASN1_STRING * x)35 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
36 {
37 return ASN1_STRING_data((ASN1_STRING *) x);
38 }
39 #endif /* OpenSSL < 1.1.0 */
40
41
42 struct http_ctx {
43 void *ctx;
44 struct xml_node_ctx *xml;
45 CURL *curl;
46 struct curl_slist *curl_hdr;
47 char *svc_address;
48 char *svc_ca_fname;
49 char *svc_username;
50 char *svc_password;
51 char *svc_client_cert;
52 char *svc_client_key;
53 char *curl_buf;
54 size_t curl_buf_len;
55
56 int (*cert_cb)(void *ctx, struct http_cert *cert);
57 void *cert_cb_ctx;
58
59 enum {
60 NO_OCSP, OPTIONAL_OCSP, MANDATORY_OCSP
61 } ocsp;
62 X509 *peer_cert;
63 X509 *peer_issuer;
64 X509 *peer_issuer_issuer;
65
66 const char *last_err;
67 const char *url;
68 };
69
70
clear_curl(struct http_ctx * ctx)71 static void clear_curl(struct http_ctx *ctx)
72 {
73 if (ctx->curl) {
74 curl_easy_cleanup(ctx->curl);
75 ctx->curl = NULL;
76 }
77 if (ctx->curl_hdr) {
78 curl_slist_free_all(ctx->curl_hdr);
79 ctx->curl_hdr = NULL;
80 }
81 }
82
83
clone_str(char ** dst,const char * src)84 static void clone_str(char **dst, const char *src)
85 {
86 os_free(*dst);
87 if (src)
88 *dst = os_strdup(src);
89 else
90 *dst = NULL;
91 }
92
93
debug_dump(struct http_ctx * ctx,const char * title,const char * buf,size_t len)94 static void debug_dump(struct http_ctx *ctx, const char *title,
95 const char *buf, size_t len)
96 {
97 char *txt;
98 size_t i;
99
100 for (i = 0; i < len; i++) {
101 if (buf[i] < 32 && buf[i] != '\t' && buf[i] != '\n' &&
102 buf[i] != '\r') {
103 wpa_hexdump_ascii(MSG_MSGDUMP, title, buf, len);
104 return;
105 }
106 }
107
108 txt = os_malloc(len + 1);
109 if (txt == NULL)
110 return;
111 os_memcpy(txt, buf, len);
112 txt[len] = '\0';
113 while (len > 0) {
114 len--;
115 if (txt[len] == '\n' || txt[len] == '\r')
116 txt[len] = '\0';
117 else
118 break;
119 }
120 wpa_printf(MSG_MSGDUMP, "%s[%s]", title, txt);
121 os_free(txt);
122 }
123
124
curl_cb_debug(CURL * curl,curl_infotype info,char * buf,size_t len,void * userdata)125 static int curl_cb_debug(CURL *curl, curl_infotype info, char *buf, size_t len,
126 void *userdata)
127 {
128 struct http_ctx *ctx = userdata;
129 switch (info) {
130 case CURLINFO_TEXT:
131 debug_dump(ctx, "CURLINFO_TEXT", buf, len);
132 break;
133 case CURLINFO_HEADER_IN:
134 debug_dump(ctx, "CURLINFO_HEADER_IN", buf, len);
135 break;
136 case CURLINFO_HEADER_OUT:
137 debug_dump(ctx, "CURLINFO_HEADER_OUT", buf, len);
138 break;
139 case CURLINFO_DATA_IN:
140 debug_dump(ctx, "CURLINFO_DATA_IN", buf, len);
141 break;
142 case CURLINFO_DATA_OUT:
143 debug_dump(ctx, "CURLINFO_DATA_OUT", buf, len);
144 break;
145 case CURLINFO_SSL_DATA_IN:
146 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_IN - %d",
147 (int) len);
148 break;
149 case CURLINFO_SSL_DATA_OUT:
150 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_OUT - %d",
151 (int) len);
152 break;
153 case CURLINFO_END:
154 wpa_printf(MSG_DEBUG, "debug - CURLINFO_END - %d",
155 (int) len);
156 break;
157 }
158 return 0;
159 }
160
161
curl_cb_write(void * ptr,size_t size,size_t nmemb,void * userdata)162 static size_t curl_cb_write(void *ptr, size_t size, size_t nmemb,
163 void *userdata)
164 {
165 struct http_ctx *ctx = userdata;
166 char *n;
167 n = os_realloc(ctx->curl_buf, ctx->curl_buf_len + size * nmemb + 1);
168 if (n == NULL)
169 return 0;
170 ctx->curl_buf = n;
171 os_memcpy(n + ctx->curl_buf_len, ptr, size * nmemb);
172 n[ctx->curl_buf_len + size * nmemb] = '\0';
173 ctx->curl_buf_len += size * nmemb;
174 return size * nmemb;
175 }
176
177
178 #ifdef EAP_TLS_OPENSSL
179
debug_dump_cert(const char * title,X509 * cert)180 static void debug_dump_cert(const char *title, X509 *cert)
181 {
182 BIO *out;
183 char *txt;
184 size_t rlen;
185
186 out = BIO_new(BIO_s_mem());
187 if (!out)
188 return;
189
190 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
191 rlen = BIO_ctrl_pending(out);
192 txt = os_malloc(rlen + 1);
193 if (txt) {
194 int res = BIO_read(out, txt, rlen);
195 if (res > 0) {
196 txt[res] = '\0';
197 wpa_printf(MSG_MSGDUMP, "%s:\n%s", title, txt);
198 }
199 os_free(txt);
200 }
201 BIO_free(out);
202 }
203
204
add_alt_name_othername(struct http_ctx * ctx,struct http_cert * cert,OTHERNAME * o)205 static void add_alt_name_othername(struct http_ctx *ctx, struct http_cert *cert,
206 OTHERNAME *o)
207 {
208 char txt[100];
209 int res;
210 struct http_othername *on;
211 ASN1_TYPE *val;
212
213 on = os_realloc_array(cert->othername, cert->num_othername + 1,
214 sizeof(struct http_othername));
215 if (on == NULL)
216 return;
217 cert->othername = on;
218 on = &on[cert->num_othername];
219 os_memset(on, 0, sizeof(*on));
220
221 res = OBJ_obj2txt(txt, sizeof(txt), o->type_id, 1);
222 if (res < 0 || res >= (int) sizeof(txt))
223 return;
224
225 on->oid = os_strdup(txt);
226 if (on->oid == NULL)
227 return;
228
229 val = o->value;
230 on->data = val->value.octet_string->data;
231 on->len = val->value.octet_string->length;
232
233 cert->num_othername++;
234 }
235
236
add_alt_name_dns(struct http_ctx * ctx,struct http_cert * cert,ASN1_STRING * name)237 static void add_alt_name_dns(struct http_ctx *ctx, struct http_cert *cert,
238 ASN1_STRING *name)
239 {
240 char *buf;
241 char **n;
242
243 buf = NULL;
244 if (ASN1_STRING_to_UTF8((unsigned char **) &buf, name) < 0)
245 return;
246
247 n = os_realloc_array(cert->dnsname, cert->num_dnsname + 1,
248 sizeof(char *));
249 if (n == NULL)
250 return;
251
252 cert->dnsname = n;
253 n[cert->num_dnsname] = buf;
254 cert->num_dnsname++;
255 }
256
257
add_alt_name(struct http_ctx * ctx,struct http_cert * cert,const GENERAL_NAME * name)258 static void add_alt_name(struct http_ctx *ctx, struct http_cert *cert,
259 const GENERAL_NAME *name)
260 {
261 switch (name->type) {
262 case GEN_OTHERNAME:
263 add_alt_name_othername(ctx, cert, name->d.otherName);
264 break;
265 case GEN_DNS:
266 add_alt_name_dns(ctx, cert, name->d.dNSName);
267 break;
268 }
269 }
270
271
add_alt_names(struct http_ctx * ctx,struct http_cert * cert,GENERAL_NAMES * names)272 static void add_alt_names(struct http_ctx *ctx, struct http_cert *cert,
273 GENERAL_NAMES *names)
274 {
275 int num, i;
276
277 num = sk_GENERAL_NAME_num(names);
278 for (i = 0; i < num; i++) {
279 const GENERAL_NAME *name;
280 name = sk_GENERAL_NAME_value(names, i);
281 add_alt_name(ctx, cert, name);
282 }
283 }
284
285
286 /* RFC 3709 */
287
288 typedef struct {
289 X509_ALGOR *hashAlg;
290 ASN1_OCTET_STRING *hashValue;
291 } HashAlgAndValue;
292
293 typedef struct {
294 STACK_OF(HashAlgAndValue) *refStructHash;
295 STACK_OF(ASN1_IA5STRING) *refStructURI;
296 } LogotypeReference;
297
298 typedef struct {
299 ASN1_IA5STRING *mediaType;
300 STACK_OF(HashAlgAndValue) *logotypeHash;
301 STACK_OF(ASN1_IA5STRING) *logotypeURI;
302 } LogotypeDetails;
303
304 typedef struct {
305 int type;
306 union {
307 ASN1_INTEGER *numBits;
308 ASN1_INTEGER *tableSize;
309 } d;
310 } LogotypeImageResolution;
311
312 typedef struct {
313 ASN1_INTEGER *type; /* LogotypeImageType ::= INTEGER */
314 ASN1_INTEGER *fileSize;
315 ASN1_INTEGER *xSize;
316 ASN1_INTEGER *ySize;
317 LogotypeImageResolution *resolution;
318 ASN1_IA5STRING *language;
319 } LogotypeImageInfo;
320
321 typedef struct {
322 LogotypeDetails *imageDetails;
323 LogotypeImageInfo *imageInfo;
324 } LogotypeImage;
325
326 typedef struct {
327 ASN1_INTEGER *fileSize;
328 ASN1_INTEGER *playTime;
329 ASN1_INTEGER *channels;
330 ASN1_INTEGER *sampleRate;
331 ASN1_IA5STRING *language;
332 } LogotypeAudioInfo;
333
334 typedef struct {
335 LogotypeDetails *audioDetails;
336 LogotypeAudioInfo *audioInfo;
337 } LogotypeAudio;
338
339 typedef struct {
340 STACK_OF(LogotypeImage) *image;
341 STACK_OF(LogotypeAudio) *audio;
342 } LogotypeData;
343
344 typedef struct {
345 int type;
346 union {
347 LogotypeData *direct;
348 LogotypeReference *indirect;
349 } d;
350 } LogotypeInfo;
351
352 typedef struct {
353 ASN1_OBJECT *logotypeType;
354 LogotypeInfo *info;
355 } OtherLogotypeInfo;
356
357 typedef struct {
358 STACK_OF(LogotypeInfo) *communityLogos;
359 LogotypeInfo *issuerLogo;
360 LogotypeInfo *subjectLogo;
361 STACK_OF(OtherLogotypeInfo) *otherLogos;
362 } LogotypeExtn;
363
364 ASN1_SEQUENCE(HashAlgAndValue) = {
365 ASN1_SIMPLE(HashAlgAndValue, hashAlg, X509_ALGOR),
366 ASN1_SIMPLE(HashAlgAndValue, hashValue, ASN1_OCTET_STRING)
367 } ASN1_SEQUENCE_END(HashAlgAndValue);
368
369 ASN1_SEQUENCE(LogotypeReference) = {
370 ASN1_SEQUENCE_OF(LogotypeReference, refStructHash, HashAlgAndValue),
371 ASN1_SEQUENCE_OF(LogotypeReference, refStructURI, ASN1_IA5STRING)
372 } ASN1_SEQUENCE_END(LogotypeReference);
373
374 ASN1_SEQUENCE(LogotypeDetails) = {
375 ASN1_SIMPLE(LogotypeDetails, mediaType, ASN1_IA5STRING),
376 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeHash, HashAlgAndValue),
377 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeURI, ASN1_IA5STRING)
378 } ASN1_SEQUENCE_END(LogotypeDetails);
379
380 ASN1_CHOICE(LogotypeImageResolution) = {
381 ASN1_IMP(LogotypeImageResolution, d.numBits, ASN1_INTEGER, 1),
382 ASN1_IMP(LogotypeImageResolution, d.tableSize, ASN1_INTEGER, 2)
383 } ASN1_CHOICE_END(LogotypeImageResolution);
384
385 ASN1_SEQUENCE(LogotypeImageInfo) = {
386 ASN1_IMP_OPT(LogotypeImageInfo, type, ASN1_INTEGER, 0),
387 ASN1_SIMPLE(LogotypeImageInfo, fileSize, ASN1_INTEGER),
388 ASN1_SIMPLE(LogotypeImageInfo, xSize, ASN1_INTEGER),
389 ASN1_SIMPLE(LogotypeImageInfo, ySize, ASN1_INTEGER),
390 ASN1_OPT(LogotypeImageInfo, resolution, LogotypeImageResolution),
391 ASN1_IMP_OPT(LogotypeImageInfo, language, ASN1_IA5STRING, 4),
392 } ASN1_SEQUENCE_END(LogotypeImageInfo);
393
394 ASN1_SEQUENCE(LogotypeImage) = {
395 ASN1_SIMPLE(LogotypeImage, imageDetails, LogotypeDetails),
396 ASN1_OPT(LogotypeImage, imageInfo, LogotypeImageInfo)
397 } ASN1_SEQUENCE_END(LogotypeImage);
398
399 ASN1_SEQUENCE(LogotypeAudioInfo) = {
400 ASN1_SIMPLE(LogotypeAudioInfo, fileSize, ASN1_INTEGER),
401 ASN1_SIMPLE(LogotypeAudioInfo, playTime, ASN1_INTEGER),
402 ASN1_SIMPLE(LogotypeAudioInfo, channels, ASN1_INTEGER),
403 ASN1_IMP_OPT(LogotypeAudioInfo, sampleRate, ASN1_INTEGER, 3),
404 ASN1_IMP_OPT(LogotypeAudioInfo, language, ASN1_IA5STRING, 4)
405 } ASN1_SEQUENCE_END(LogotypeAudioInfo);
406
407 ASN1_SEQUENCE(LogotypeAudio) = {
408 ASN1_SIMPLE(LogotypeAudio, audioDetails, LogotypeDetails),
409 ASN1_OPT(LogotypeAudio, audioInfo, LogotypeAudioInfo)
410 } ASN1_SEQUENCE_END(LogotypeAudio);
411
412 ASN1_SEQUENCE(LogotypeData) = {
413 ASN1_SEQUENCE_OF_OPT(LogotypeData, image, LogotypeImage),
414 ASN1_IMP_SEQUENCE_OF_OPT(LogotypeData, audio, LogotypeAudio, 1)
415 } ASN1_SEQUENCE_END(LogotypeData);
416
417 ASN1_CHOICE(LogotypeInfo) = {
418 ASN1_IMP(LogotypeInfo, d.direct, LogotypeData, 0),
419 ASN1_IMP(LogotypeInfo, d.indirect, LogotypeReference, 1)
420 } ASN1_CHOICE_END(LogotypeInfo);
421
422 ASN1_SEQUENCE(OtherLogotypeInfo) = {
423 ASN1_SIMPLE(OtherLogotypeInfo, logotypeType, ASN1_OBJECT),
424 ASN1_SIMPLE(OtherLogotypeInfo, info, LogotypeInfo)
425 } ASN1_SEQUENCE_END(OtherLogotypeInfo);
426
427 ASN1_SEQUENCE(LogotypeExtn) = {
428 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, communityLogos, LogotypeInfo, 0),
429 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 1),
430 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 2),
431 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, otherLogos, OtherLogotypeInfo, 3)
432 } ASN1_SEQUENCE_END(LogotypeExtn);
433
434 IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn);
435
436 #if OPENSSL_VERSION_NUMBER < 0x10100000L
437 #define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st))
438 #define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i))
439 #define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st))
440 #define sk_LogotypeImage_value(st, i) SKM_sk_value(LogotypeImage, (st), (i))
441 #define sk_LogotypeAudio_num(st) SKM_sk_num(LogotypeAudio, (st))
442 #define sk_LogotypeAudio_value(st, i) SKM_sk_value(LogotypeAudio, (st), (i))
443 #define sk_HashAlgAndValue_num(st) SKM_sk_num(HashAlgAndValue, (st))
444 #define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i))
445 #define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st))
446 #define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i))
447 #else
448 DEFINE_STACK_OF(LogotypeInfo)
DEFINE_STACK_OF(LogotypeImage)449 DEFINE_STACK_OF(LogotypeImage)
450 DEFINE_STACK_OF(LogotypeAudio)
451 DEFINE_STACK_OF(HashAlgAndValue)
452 DEFINE_STACK_OF(ASN1_IA5STRING)
453 #endif
454
455
456 static void add_logo(struct http_ctx *ctx, struct http_cert *hcert,
457 HashAlgAndValue *hash, ASN1_IA5STRING *uri)
458 {
459 char txt[100];
460 int res, len;
461 struct http_logo *n;
462
463 if (hash == NULL || uri == NULL)
464 return;
465
466 res = OBJ_obj2txt(txt, sizeof(txt), hash->hashAlg->algorithm, 1);
467 if (res < 0 || res >= (int) sizeof(txt))
468 return;
469
470 n = os_realloc_array(hcert->logo, hcert->num_logo + 1,
471 sizeof(struct http_logo));
472 if (n == NULL)
473 return;
474 hcert->logo = n;
475 n = &hcert->logo[hcert->num_logo];
476 os_memset(n, 0, sizeof(*n));
477
478 n->alg_oid = os_strdup(txt);
479 if (n->alg_oid == NULL)
480 return;
481
482 n->hash_len = ASN1_STRING_length(hash->hashValue);
483 n->hash = os_memdup(ASN1_STRING_get0_data(hash->hashValue),
484 n->hash_len);
485 if (n->hash == NULL) {
486 os_free(n->alg_oid);
487 return;
488 }
489
490 len = ASN1_STRING_length(uri);
491 n->uri = os_malloc(len + 1);
492 if (n->uri == NULL) {
493 os_free(n->alg_oid);
494 os_free(n->hash);
495 return;
496 }
497 os_memcpy(n->uri, ASN1_STRING_get0_data(uri), len);
498 n->uri[len] = '\0';
499
500 hcert->num_logo++;
501 }
502
503
add_logo_direct(struct http_ctx * ctx,struct http_cert * hcert,LogotypeData * data)504 static void add_logo_direct(struct http_ctx *ctx, struct http_cert *hcert,
505 LogotypeData *data)
506 {
507 int i, num;
508
509 if (data->image == NULL)
510 return;
511
512 num = sk_LogotypeImage_num(data->image);
513 for (i = 0; i < num; i++) {
514 LogotypeImage *image;
515 LogotypeDetails *details;
516 int j, hash_num, uri_num;
517 HashAlgAndValue *found_hash = NULL;
518
519 image = sk_LogotypeImage_value(data->image, i);
520 if (image == NULL)
521 continue;
522
523 details = image->imageDetails;
524 if (details == NULL)
525 continue;
526
527 hash_num = sk_HashAlgAndValue_num(details->logotypeHash);
528 for (j = 0; j < hash_num; j++) {
529 HashAlgAndValue *hash;
530 char txt[100];
531 int res;
532 hash = sk_HashAlgAndValue_value(details->logotypeHash,
533 j);
534 if (hash == NULL)
535 continue;
536 res = OBJ_obj2txt(txt, sizeof(txt),
537 hash->hashAlg->algorithm, 1);
538 if (res < 0 || res >= (int) sizeof(txt))
539 continue;
540 if (os_strcmp(txt, "2.16.840.1.101.3.4.2.1") == 0) {
541 found_hash = hash;
542 break;
543 }
544 }
545
546 if (!found_hash) {
547 wpa_printf(MSG_DEBUG, "OpenSSL: No SHA256 hash found for the logo");
548 continue;
549 }
550
551 uri_num = sk_ASN1_IA5STRING_num(details->logotypeURI);
552 for (j = 0; j < uri_num; j++) {
553 ASN1_IA5STRING *uri;
554 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, j);
555 add_logo(ctx, hcert, found_hash, uri);
556 }
557 }
558 }
559
560
add_logo_indirect(struct http_ctx * ctx,struct http_cert * hcert,LogotypeReference * ref)561 static void add_logo_indirect(struct http_ctx *ctx, struct http_cert *hcert,
562 LogotypeReference *ref)
563 {
564 int j, hash_num, uri_num;
565
566 hash_num = sk_HashAlgAndValue_num(ref->refStructHash);
567 uri_num = sk_ASN1_IA5STRING_num(ref->refStructURI);
568 if (hash_num != uri_num) {
569 wpa_printf(MSG_INFO, "Unexpected LogotypeReference array size difference %d != %d",
570 hash_num, uri_num);
571 return;
572 }
573
574 for (j = 0; j < hash_num; j++) {
575 HashAlgAndValue *hash;
576 ASN1_IA5STRING *uri;
577 hash = sk_HashAlgAndValue_value(ref->refStructHash, j);
578 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, j);
579 add_logo(ctx, hcert, hash, uri);
580 }
581 }
582
583
i2r_HashAlgAndValue(HashAlgAndValue * hash,BIO * out,int indent)584 static void i2r_HashAlgAndValue(HashAlgAndValue *hash, BIO *out, int indent)
585 {
586 int i;
587 const unsigned char *data;
588
589 BIO_printf(out, "%*shashAlg: ", indent, "");
590 i2a_ASN1_OBJECT(out, hash->hashAlg->algorithm);
591 BIO_printf(out, "\n");
592
593 BIO_printf(out, "%*shashValue: ", indent, "");
594 data = hash->hashValue->data;
595 for (i = 0; i < hash->hashValue->length; i++)
596 BIO_printf(out, "%s%02x", i > 0 ? ":" : "", data[i]);
597 BIO_printf(out, "\n");
598 }
599
i2r_LogotypeDetails(LogotypeDetails * details,BIO * out,int indent)600 static void i2r_LogotypeDetails(LogotypeDetails *details, BIO *out, int indent)
601 {
602 int i, num;
603
604 BIO_printf(out, "%*sLogotypeDetails\n", indent, "");
605 if (details->mediaType) {
606 BIO_printf(out, "%*smediaType: ", indent, "");
607 ASN1_STRING_print(out, details->mediaType);
608 BIO_printf(out, "\n");
609 }
610
611 num = details->logotypeHash ?
612 sk_HashAlgAndValue_num(details->logotypeHash) : 0;
613 for (i = 0; i < num; i++) {
614 HashAlgAndValue *hash;
615 hash = sk_HashAlgAndValue_value(details->logotypeHash, i);
616 i2r_HashAlgAndValue(hash, out, indent);
617 }
618
619 num = details->logotypeURI ?
620 sk_ASN1_IA5STRING_num(details->logotypeURI) : 0;
621 for (i = 0; i < num; i++) {
622 ASN1_IA5STRING *uri;
623 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, i);
624 BIO_printf(out, "%*slogotypeURI: ", indent, "");
625 ASN1_STRING_print(out, uri);
626 BIO_printf(out, "\n");
627 }
628 }
629
i2r_LogotypeImageInfo(LogotypeImageInfo * info,BIO * out,int indent)630 static void i2r_LogotypeImageInfo(LogotypeImageInfo *info, BIO *out, int indent)
631 {
632 long val;
633
634 BIO_printf(out, "%*sLogotypeImageInfo\n", indent, "");
635 if (info->type) {
636 val = ASN1_INTEGER_get(info->type);
637 BIO_printf(out, "%*stype: %ld\n", indent, "", val);
638 } else {
639 BIO_printf(out, "%*stype: default (1)\n", indent, "");
640 }
641 val = ASN1_INTEGER_get(info->fileSize);
642 BIO_printf(out, "%*sfileSize: %ld\n", indent, "", val);
643 val = ASN1_INTEGER_get(info->xSize);
644 BIO_printf(out, "%*sxSize: %ld\n", indent, "", val);
645 val = ASN1_INTEGER_get(info->ySize);
646 BIO_printf(out, "%*sySize: %ld\n", indent, "", val);
647 if (info->resolution) {
648 BIO_printf(out, "%*sresolution [%d]\n", indent, "",
649 info->resolution->type);
650 switch (info->resolution->type) {
651 case 0:
652 val = ASN1_INTEGER_get(info->resolution->d.numBits);
653 BIO_printf(out, "%*snumBits: %ld\n", indent, "", val);
654 break;
655 case 1:
656 val = ASN1_INTEGER_get(info->resolution->d.tableSize);
657 BIO_printf(out, "%*stableSize: %ld\n", indent, "", val);
658 break;
659 }
660 }
661 if (info->language) {
662 BIO_printf(out, "%*slanguage: ", indent, "");
663 ASN1_STRING_print(out, info->language);
664 BIO_printf(out, "\n");
665 }
666 }
667
i2r_LogotypeImage(LogotypeImage * image,BIO * out,int indent)668 static void i2r_LogotypeImage(LogotypeImage *image, BIO *out, int indent)
669 {
670 BIO_printf(out, "%*sLogotypeImage\n", indent, "");
671 if (image->imageDetails) {
672 i2r_LogotypeDetails(image->imageDetails, out, indent + 4);
673 }
674 if (image->imageInfo) {
675 i2r_LogotypeImageInfo(image->imageInfo, out, indent + 4);
676 }
677 }
678
i2r_LogotypeData(LogotypeData * data,const char * title,BIO * out,int indent)679 static void i2r_LogotypeData(LogotypeData *data, const char *title, BIO *out,
680 int indent)
681 {
682 int i, num;
683
684 BIO_printf(out, "%*s%s - LogotypeData\n", indent, "", title);
685
686 num = data->image ? sk_LogotypeImage_num(data->image) : 0;
687 for (i = 0; i < num; i++) {
688 LogotypeImage *image = sk_LogotypeImage_value(data->image, i);
689 i2r_LogotypeImage(image, out, indent + 4);
690 }
691
692 num = data->audio ? sk_LogotypeAudio_num(data->audio) : 0;
693 for (i = 0; i < num; i++) {
694 BIO_printf(out, "%*saudio: TODO\n", indent, "");
695 }
696 }
697
i2r_LogotypeReference(LogotypeReference * ref,const char * title,BIO * out,int indent)698 static void i2r_LogotypeReference(LogotypeReference *ref, const char *title,
699 BIO *out, int indent)
700 {
701 int i, hash_num, uri_num;
702
703 BIO_printf(out, "%*s%s - LogotypeReference\n", indent, "", title);
704
705 hash_num = ref->refStructHash ?
706 sk_HashAlgAndValue_num(ref->refStructHash) : 0;
707 uri_num = ref->refStructURI ?
708 sk_ASN1_IA5STRING_num(ref->refStructURI) : 0;
709 if (hash_num != uri_num) {
710 BIO_printf(out, "%*sUnexpected LogotypeReference array size difference %d != %d\n",
711 indent, "", hash_num, uri_num);
712 return;
713 }
714
715 for (i = 0; i < hash_num; i++) {
716 HashAlgAndValue *hash;
717 ASN1_IA5STRING *uri;
718
719 hash = sk_HashAlgAndValue_value(ref->refStructHash, i);
720 i2r_HashAlgAndValue(hash, out, indent);
721
722 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, i);
723 BIO_printf(out, "%*srefStructURI: ", indent, "");
724 ASN1_STRING_print(out, uri);
725 BIO_printf(out, "\n");
726 }
727 }
728
i2r_LogotypeInfo(LogotypeInfo * info,const char * title,BIO * out,int indent)729 static void i2r_LogotypeInfo(LogotypeInfo *info, const char *title, BIO *out,
730 int indent)
731 {
732 switch (info->type) {
733 case 0:
734 i2r_LogotypeData(info->d.direct, title, out, indent);
735 break;
736 case 1:
737 i2r_LogotypeReference(info->d.indirect, title, out, indent);
738 break;
739 }
740 }
741
debug_print_logotypeext(LogotypeExtn * logo)742 static void debug_print_logotypeext(LogotypeExtn *logo)
743 {
744 BIO *out;
745 int i, num;
746 int indent = 0;
747
748 out = BIO_new_fp(stdout, BIO_NOCLOSE);
749 if (out == NULL)
750 return;
751
752 if (logo->communityLogos) {
753 num = sk_LogotypeInfo_num(logo->communityLogos);
754 for (i = 0; i < num; i++) {
755 LogotypeInfo *info;
756 info = sk_LogotypeInfo_value(logo->communityLogos, i);
757 i2r_LogotypeInfo(info, "communityLogo", out, indent);
758 }
759 }
760
761 if (logo->issuerLogo) {
762 i2r_LogotypeInfo(logo->issuerLogo, "issuerLogo", out, indent );
763 }
764
765 if (logo->subjectLogo) {
766 i2r_LogotypeInfo(logo->subjectLogo, "subjectLogo", out, indent);
767 }
768
769 if (logo->otherLogos) {
770 BIO_printf(out, "%*sotherLogos - TODO\n", indent, "");
771 }
772
773 BIO_free(out);
774 }
775
776
add_logotype_ext(struct http_ctx * ctx,struct http_cert * hcert,X509 * cert)777 static void add_logotype_ext(struct http_ctx *ctx, struct http_cert *hcert,
778 X509 *cert)
779 {
780 ASN1_OBJECT *obj;
781 int pos;
782 X509_EXTENSION *ext;
783 ASN1_OCTET_STRING *os;
784 LogotypeExtn *logo;
785 const unsigned char *data;
786 int i, num;
787
788 obj = OBJ_txt2obj("1.3.6.1.5.5.7.1.12", 0);
789 if (obj == NULL)
790 return;
791
792 pos = X509_get_ext_by_OBJ(cert, obj, -1);
793 if (pos < 0) {
794 wpa_printf(MSG_INFO, "No logotype extension included");
795 return;
796 }
797
798 wpa_printf(MSG_INFO, "Parsing logotype extension");
799 ext = X509_get_ext(cert, pos);
800 if (!ext) {
801 wpa_printf(MSG_INFO, "Could not get logotype extension");
802 return;
803 }
804
805 os = X509_EXTENSION_get_data(ext);
806 if (os == NULL) {
807 wpa_printf(MSG_INFO, "Could not get logotype extension data");
808 return;
809 }
810
811 wpa_hexdump(MSG_DEBUG, "logotypeExtn",
812 ASN1_STRING_get0_data(os), ASN1_STRING_length(os));
813
814 data = ASN1_STRING_get0_data(os);
815 logo = d2i_LogotypeExtn(NULL, &data, ASN1_STRING_length(os));
816 if (logo == NULL) {
817 wpa_printf(MSG_INFO, "Failed to parse logotypeExtn");
818 return;
819 }
820
821 if (wpa_debug_level < MSG_INFO)
822 debug_print_logotypeext(logo);
823
824 if (!logo->communityLogos) {
825 wpa_printf(MSG_INFO, "No communityLogos included");
826 LogotypeExtn_free(logo);
827 return;
828 }
829
830 num = sk_LogotypeInfo_num(logo->communityLogos);
831 for (i = 0; i < num; i++) {
832 LogotypeInfo *info;
833 info = sk_LogotypeInfo_value(logo->communityLogos, i);
834 switch (info->type) {
835 case 0:
836 add_logo_direct(ctx, hcert, info->d.direct);
837 break;
838 case 1:
839 add_logo_indirect(ctx, hcert, info->d.indirect);
840 break;
841 }
842 }
843
844 LogotypeExtn_free(logo);
845 }
846
847
parse_cert(struct http_ctx * ctx,struct http_cert * hcert,X509 * cert,GENERAL_NAMES ** names)848 static void parse_cert(struct http_ctx *ctx, struct http_cert *hcert,
849 X509 *cert, GENERAL_NAMES **names)
850 {
851 os_memset(hcert, 0, sizeof(*hcert));
852 hcert->url = ctx->url ? ctx->url : ctx->svc_address;
853
854 *names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
855 if (*names)
856 add_alt_names(ctx, hcert, *names);
857
858 add_logotype_ext(ctx, hcert, cert);
859 }
860
861
parse_cert_free(struct http_cert * hcert,GENERAL_NAMES * names)862 static void parse_cert_free(struct http_cert *hcert, GENERAL_NAMES *names)
863 {
864 unsigned int i;
865
866 for (i = 0; i < hcert->num_dnsname; i++)
867 OPENSSL_free(hcert->dnsname[i]);
868 os_free(hcert->dnsname);
869
870 for (i = 0; i < hcert->num_othername; i++)
871 os_free(hcert->othername[i].oid);
872 os_free(hcert->othername);
873
874 for (i = 0; i < hcert->num_logo; i++) {
875 os_free(hcert->logo[i].alg_oid);
876 os_free(hcert->logo[i].hash);
877 os_free(hcert->logo[i].uri);
878 }
879 os_free(hcert->logo);
880
881 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
882 }
883
884
validate_server_cert(struct http_ctx * ctx,X509 * cert)885 static int validate_server_cert(struct http_ctx *ctx, X509 *cert)
886 {
887 GENERAL_NAMES *names;
888 struct http_cert hcert;
889 int ret;
890
891 if (ctx->cert_cb == NULL) {
892 wpa_printf(MSG_DEBUG, "%s: no cert_cb configured", __func__);
893 return 0;
894 }
895
896 if (0) {
897 BIO *out;
898 out = BIO_new_fp(stdout, BIO_NOCLOSE);
899 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
900 BIO_free(out);
901 }
902
903 parse_cert(ctx, &hcert, cert, &names);
904 ret = ctx->cert_cb(ctx->cert_cb_ctx, &hcert);
905 parse_cert_free(&hcert, names);
906
907 return ret;
908 }
909
910
http_parse_x509_certificate(struct http_ctx * ctx,const char * fname)911 void http_parse_x509_certificate(struct http_ctx *ctx, const char *fname)
912 {
913 BIO *in, *out;
914 X509 *cert;
915 GENERAL_NAMES *names;
916 struct http_cert hcert;
917 unsigned int i;
918
919 in = BIO_new_file(fname, "r");
920 if (in == NULL) {
921 wpa_printf(MSG_ERROR, "Could not read '%s'", fname);
922 return;
923 }
924
925 cert = d2i_X509_bio(in, NULL);
926 BIO_free(in);
927
928 if (cert == NULL) {
929 wpa_printf(MSG_ERROR, "Could not parse certificate");
930 return;
931 }
932
933 out = BIO_new_fp(stdout, BIO_NOCLOSE);
934 if (out) {
935 X509_print_ex(out, cert, XN_FLAG_COMPAT,
936 X509_FLAG_COMPAT);
937 BIO_free(out);
938 }
939
940 wpa_printf(MSG_INFO, "Additional parsing information:");
941 parse_cert(ctx, &hcert, cert, &names);
942 for (i = 0; i < hcert.num_othername; i++) {
943 if (os_strcmp(hcert.othername[i].oid,
944 "1.3.6.1.4.1.40808.1.1.1") == 0) {
945 char *name = os_zalloc(hcert.othername[i].len + 1);
946 if (name) {
947 os_memcpy(name, hcert.othername[i].data,
948 hcert.othername[i].len);
949 wpa_printf(MSG_INFO,
950 "id-wfa-hotspot-friendlyName: %s",
951 name);
952 os_free(name);
953 }
954 wpa_hexdump_ascii(MSG_INFO,
955 "id-wfa-hotspot-friendlyName",
956 hcert.othername[i].data,
957 hcert.othername[i].len);
958 } else {
959 wpa_printf(MSG_INFO, "subjAltName[othername]: oid=%s",
960 hcert.othername[i].oid);
961 wpa_hexdump_ascii(MSG_INFO, "unknown othername",
962 hcert.othername[i].data,
963 hcert.othername[i].len);
964 }
965 }
966 parse_cert_free(&hcert, names);
967
968 X509_free(cert);
969 }
970
971
curl_cb_ssl_verify(int preverify_ok,X509_STORE_CTX * x509_ctx)972 static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
973 {
974 struct http_ctx *ctx;
975 X509 *cert;
976 int err, depth;
977 char buf[256];
978 X509_NAME *name;
979 const char *err_str;
980 SSL *ssl;
981 SSL_CTX *ssl_ctx;
982
983 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
984 SSL_get_ex_data_X509_STORE_CTX_idx());
985 ssl_ctx = SSL_get_SSL_CTX(ssl);
986 ctx = SSL_CTX_get_app_data(ssl_ctx);
987
988 wpa_printf(MSG_DEBUG, "curl_cb_ssl_verify, preverify_ok: %d",
989 preverify_ok);
990
991 err = X509_STORE_CTX_get_error(x509_ctx);
992 err_str = X509_verify_cert_error_string(err);
993 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
994 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
995 if (!cert) {
996 wpa_printf(MSG_INFO, "No server certificate available");
997 ctx->last_err = "No server certificate available";
998 return 0;
999 }
1000
1001 if (depth == 0)
1002 ctx->peer_cert = cert;
1003 else if (depth == 1)
1004 ctx->peer_issuer = cert;
1005 else if (depth == 2)
1006 ctx->peer_issuer_issuer = cert;
1007
1008 name = X509_get_subject_name(cert);
1009 X509_NAME_oneline(name, buf, sizeof(buf));
1010 wpa_printf(MSG_INFO, "Server certificate chain - depth=%d err=%d (%s) subject=%s",
1011 depth, err, err_str, buf);
1012 debug_dump_cert("Server certificate chain - certificate", cert);
1013
1014 if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
1015 return 0;
1016
1017 #ifdef OPENSSL_IS_BORINGSSL
1018 if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
1019 enum ocsp_result res;
1020
1021 res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
1022 ctx->peer_issuer_issuer);
1023 if (res == OCSP_REVOKED) {
1024 preverify_ok = 0;
1025 wpa_printf(MSG_INFO, "OCSP: certificate revoked");
1026 if (err == X509_V_OK)
1027 X509_STORE_CTX_set_error(
1028 x509_ctx, X509_V_ERR_CERT_REVOKED);
1029 } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
1030 preverify_ok = 0;
1031 wpa_printf(MSG_INFO,
1032 "OCSP: bad certificate status response");
1033 }
1034 }
1035 #endif /* OPENSSL_IS_BORINGSSL */
1036
1037 if (!preverify_ok)
1038 ctx->last_err = "TLS validation failed";
1039
1040 return preverify_ok;
1041 }
1042
1043
1044 #ifdef HAVE_OCSP
1045
ocsp_debug_print_resp(OCSP_RESPONSE * rsp)1046 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
1047 {
1048 BIO *out;
1049 size_t rlen;
1050 char *txt;
1051 int res;
1052
1053 out = BIO_new(BIO_s_mem());
1054 if (!out)
1055 return;
1056
1057 OCSP_RESPONSE_print(out, rsp, 0);
1058 rlen = BIO_ctrl_pending(out);
1059 txt = os_malloc(rlen + 1);
1060 if (!txt) {
1061 BIO_free(out);
1062 return;
1063 }
1064
1065 res = BIO_read(out, txt, rlen);
1066 if (res > 0) {
1067 txt[res] = '\0';
1068 wpa_printf(MSG_MSGDUMP, "OpenSSL: OCSP Response\n%s", txt);
1069 }
1070 os_free(txt);
1071 BIO_free(out);
1072 }
1073
1074
tls_show_errors(const char * func,const char * txt)1075 static void tls_show_errors(const char *func, const char *txt)
1076 {
1077 unsigned long err;
1078
1079 wpa_printf(MSG_DEBUG, "OpenSSL: %s - %s %s",
1080 func, txt, ERR_error_string(ERR_get_error(), NULL));
1081
1082 while ((err = ERR_get_error())) {
1083 wpa_printf(MSG_DEBUG, "OpenSSL: pending error: %s",
1084 ERR_error_string(err, NULL));
1085 }
1086 }
1087
1088
ocsp_resp_cb(SSL * s,void * arg)1089 static int ocsp_resp_cb(SSL *s, void *arg)
1090 {
1091 struct http_ctx *ctx = arg;
1092 const unsigned char *p;
1093 int len, status, reason, res;
1094 OCSP_RESPONSE *rsp;
1095 OCSP_BASICRESP *basic;
1096 OCSP_CERTID *id;
1097 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
1098 X509_STORE *store;
1099 STACK_OF(X509) *certs = NULL;
1100
1101 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1102 if (!p) {
1103 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
1104 if (ctx->ocsp == MANDATORY_OCSP)
1105 ctx->last_err = "No OCSP response received";
1106 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1107 }
1108
1109 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
1110
1111 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1112 if (!rsp) {
1113 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
1114 ctx->last_err = "Failed to parse OCSP response";
1115 return 0;
1116 }
1117
1118 ocsp_debug_print_resp(rsp);
1119
1120 status = OCSP_response_status(rsp);
1121 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1122 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
1123 status, OCSP_response_status_str(status));
1124 ctx->last_err = "OCSP responder error";
1125 return 0;
1126 }
1127
1128 basic = OCSP_response_get1_basic(rsp);
1129 if (!basic) {
1130 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
1131 ctx->last_err = "Could not find BasicOCSPResponse";
1132 return 0;
1133 }
1134
1135 store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s));
1136 if (ctx->peer_issuer) {
1137 wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer");
1138 debug_dump_cert("OpenSSL: Issuer certificate",
1139 ctx->peer_issuer);
1140
1141 if (X509_STORE_add_cert(store, ctx->peer_issuer) != 1) {
1142 tls_show_errors(__func__,
1143 "OpenSSL: Could not add issuer to certificate store");
1144 }
1145 certs = sk_X509_new_null();
1146 if (certs) {
1147 X509 *cert;
1148 cert = X509_dup(ctx->peer_issuer);
1149 if (cert && !sk_X509_push(certs, cert)) {
1150 tls_show_errors(
1151 __func__,
1152 "OpenSSL: Could not add issuer to OCSP responder trust store");
1153 X509_free(cert);
1154 sk_X509_free(certs);
1155 certs = NULL;
1156 }
1157 if (certs && ctx->peer_issuer_issuer) {
1158 cert = X509_dup(ctx->peer_issuer_issuer);
1159 if (cert && !sk_X509_push(certs, cert)) {
1160 tls_show_errors(
1161 __func__,
1162 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
1163 X509_free(cert);
1164 }
1165 }
1166 }
1167 }
1168
1169 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
1170 sk_X509_pop_free(certs, X509_free);
1171 if (status <= 0) {
1172 tls_show_errors(__func__,
1173 "OpenSSL: OCSP response failed verification");
1174 OCSP_BASICRESP_free(basic);
1175 OCSP_RESPONSE_free(rsp);
1176 ctx->last_err = "OCSP response failed verification";
1177 return 0;
1178 }
1179
1180 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
1181
1182 if (!ctx->peer_cert) {
1183 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
1184 OCSP_BASICRESP_free(basic);
1185 OCSP_RESPONSE_free(rsp);
1186 ctx->last_err = "Peer certificate not available for OCSP status check";
1187 return 0;
1188 }
1189
1190 if (!ctx->peer_issuer) {
1191 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
1192 OCSP_BASICRESP_free(basic);
1193 OCSP_RESPONSE_free(rsp);
1194 ctx->last_err = "Peer issuer certificate not available for OCSP status check";
1195 return 0;
1196 }
1197
1198 id = OCSP_cert_to_id(EVP_sha256(), ctx->peer_cert, ctx->peer_issuer);
1199 if (!id) {
1200 wpa_printf(MSG_DEBUG,
1201 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
1202 OCSP_BASICRESP_free(basic);
1203 OCSP_RESPONSE_free(rsp);
1204 ctx->last_err = "Could not create OCSP certificate identifier";
1205 return 0;
1206 }
1207
1208 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
1209 &this_update, &next_update);
1210 if (!res) {
1211 id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer);
1212 if (!id) {
1213 wpa_printf(MSG_DEBUG,
1214 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
1215 OCSP_BASICRESP_free(basic);
1216 OCSP_RESPONSE_free(rsp);
1217 ctx->last_err =
1218 "Could not create OCSP certificate identifier";
1219 return 0;
1220 }
1221
1222 res = OCSP_resp_find_status(basic, id, &status, &reason,
1223 &produced_at, &this_update,
1224 &next_update);
1225 }
1226
1227 if (!res) {
1228 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
1229 (ctx->ocsp == MANDATORY_OCSP) ? "" :
1230 " (OCSP not required)");
1231 OCSP_CERTID_free(id);
1232 OCSP_BASICRESP_free(basic);
1233 OCSP_RESPONSE_free(rsp);
1234 if (ctx->ocsp == MANDATORY_OCSP)
1235
1236 ctx->last_err = "Could not find current server certificate from OCSP response";
1237 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1238 }
1239 OCSP_CERTID_free(id);
1240
1241 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
1242 tls_show_errors(__func__, "OpenSSL: OCSP status times invalid");
1243 OCSP_BASICRESP_free(basic);
1244 OCSP_RESPONSE_free(rsp);
1245 ctx->last_err = "OCSP status times invalid";
1246 return 0;
1247 }
1248
1249 OCSP_BASICRESP_free(basic);
1250 OCSP_RESPONSE_free(rsp);
1251
1252 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
1253 OCSP_cert_status_str(status));
1254
1255 if (status == V_OCSP_CERTSTATUS_GOOD)
1256 return 1;
1257 if (status == V_OCSP_CERTSTATUS_REVOKED) {
1258 ctx->last_err = "Server certificate has been revoked";
1259 return 0;
1260 }
1261 if (ctx->ocsp == MANDATORY_OCSP) {
1262 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
1263 ctx->last_err = "OCSP status unknown";
1264 return 0;
1265 }
1266 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
1267 return 1;
1268 }
1269
1270
1271 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1272 static SSL_METHOD patch_ssl_method;
1273 static const SSL_METHOD *real_ssl_method;
1274
curl_patch_ssl_new(SSL * s)1275 static int curl_patch_ssl_new(SSL *s)
1276 {
1277 SSL_CTX *ssl = SSL_get_SSL_CTX(s);
1278 int ret;
1279
1280 ssl->method = real_ssl_method;
1281 s->method = real_ssl_method;
1282
1283 ret = s->method->ssl_new(s);
1284 SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp);
1285
1286 return ret;
1287 }
1288 #endif /* OpenSSL < 1.1.0 */
1289
1290 #endif /* HAVE_OCSP */
1291
1292
curl_cb_ssl(CURL * curl,void * sslctx,void * parm)1293 static CURLcode curl_cb_ssl(CURL *curl, void *sslctx, void *parm)
1294 {
1295 struct http_ctx *ctx = parm;
1296 SSL_CTX *ssl = sslctx;
1297
1298 wpa_printf(MSG_DEBUG, "curl_cb_ssl");
1299 SSL_CTX_set_app_data(ssl, ctx);
1300 SSL_CTX_set_verify(ssl, SSL_VERIFY_PEER, curl_cb_ssl_verify);
1301
1302 #ifdef HAVE_OCSP
1303 if (ctx->ocsp != NO_OCSP) {
1304 SSL_CTX_set_tlsext_status_cb(ssl, ocsp_resp_cb);
1305 SSL_CTX_set_tlsext_status_arg(ssl, ctx);
1306
1307 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1308 /*
1309 * Use a temporary SSL_METHOD to get a callback on SSL_new()
1310 * from libcurl since there is no proper callback registration
1311 * available for this.
1312 */
1313 os_memset(&patch_ssl_method, 0, sizeof(patch_ssl_method));
1314 patch_ssl_method.ssl_new = curl_patch_ssl_new;
1315 real_ssl_method = ssl->method;
1316 ssl->method = &patch_ssl_method;
1317 #endif /* OpenSSL < 1.1.0 */
1318 }
1319 #endif /* HAVE_OCSP */
1320
1321 return CURLE_OK;
1322 }
1323
1324 #endif /* EAP_TLS_OPENSSL */
1325
1326
setup_curl_post(struct http_ctx * ctx,const char * address,const char * ca_fname,const char * username,const char * password,const char * client_cert,const char * client_key)1327 static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
1328 const char *ca_fname, const char *username,
1329 const char *password, const char *client_cert,
1330 const char *client_key)
1331 {
1332 CURL *curl;
1333 #ifdef EAP_TLS_OPENSSL
1334 const char *extra = " tls=openssl";
1335 #else /* EAP_TLS_OPENSSL */
1336 const char *extra = "";
1337 #endif /* EAP_TLS_OPENSSL */
1338
1339 wpa_printf(MSG_DEBUG, "Start HTTP client: address=%s ca_fname=%s "
1340 "username=%s%s", address, ca_fname, username, extra);
1341
1342 curl = curl_easy_init();
1343 if (curl == NULL)
1344 return NULL;
1345
1346 curl_easy_setopt(curl, CURLOPT_URL, address);
1347 curl_easy_setopt(curl, CURLOPT_POST, 1L);
1348 if (ca_fname) {
1349 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1350 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1351 #ifdef EAP_TLS_OPENSSL
1352 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
1353 curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
1354 #if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x10100000L)
1355 /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
1356 * with BoringSSL since the OpenSSL specific callback hack to
1357 * enable OCSP is not available with BoringSSL. The OCSP
1358 * implementation within libcurl is not sufficient for the
1359 * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
1360 */
1361 if (ctx->ocsp != NO_OCSP)
1362 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
1363 #endif /* OPENSSL_IS_BORINGSSL */
1364 #endif /* EAP_TLS_OPENSSL */
1365 } else {
1366 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1367 }
1368 if (client_cert && client_key) {
1369 curl_easy_setopt(curl, CURLOPT_SSLCERT, client_cert);
1370 curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key);
1371 }
1372 /* TODO: use curl_easy_getinfo() with CURLINFO_CERTINFO to fetch
1373 * information about the server certificate */
1374 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1375 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1376 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
1377 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_cb_write);
1378 curl_easy_setopt(curl, CURLOPT_WRITEDATA, ctx);
1379 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1380 if (username) {
1381 curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANYSAFE);
1382 curl_easy_setopt(curl, CURLOPT_USERNAME, username);
1383 curl_easy_setopt(curl, CURLOPT_PASSWORD, password);
1384 }
1385
1386 return curl;
1387 }
1388
1389
post_init_client(struct http_ctx * ctx,const char * address,const char * ca_fname,const char * username,const char * password,const char * client_cert,const char * client_key)1390 static int post_init_client(struct http_ctx *ctx, const char *address,
1391 const char *ca_fname, const char *username,
1392 const char *password, const char *client_cert,
1393 const char *client_key)
1394 {
1395 char *pos;
1396 int count;
1397
1398 clone_str(&ctx->svc_address, address);
1399 clone_str(&ctx->svc_ca_fname, ca_fname);
1400 clone_str(&ctx->svc_username, username);
1401 clone_str(&ctx->svc_password, password);
1402 clone_str(&ctx->svc_client_cert, client_cert);
1403 clone_str(&ctx->svc_client_key, client_key);
1404
1405 /*
1406 * Workaround for Apache "Hostname 'FOO' provided via SNI and hostname
1407 * 'foo' provided via HTTP are different.
1408 */
1409 for (count = 0, pos = ctx->svc_address; count < 3 && pos && *pos;
1410 pos++) {
1411 if (*pos == '/')
1412 count++;
1413 *pos = tolower(*pos);
1414 }
1415
1416 ctx->curl = setup_curl_post(ctx, ctx->svc_address, ca_fname, username,
1417 password, client_cert, client_key);
1418 if (ctx->curl == NULL)
1419 return -1;
1420
1421 return 0;
1422 }
1423
1424
soap_init_client(struct http_ctx * ctx,const char * address,const char * ca_fname,const char * username,const char * password,const char * client_cert,const char * client_key)1425 int soap_init_client(struct http_ctx *ctx, const char *address,
1426 const char *ca_fname, const char *username,
1427 const char *password, const char *client_cert,
1428 const char *client_key)
1429 {
1430 if (post_init_client(ctx, address, ca_fname, username, password,
1431 client_cert, client_key) < 0)
1432 return -1;
1433
1434 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr,
1435 "Content-Type: application/soap+xml");
1436 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "SOAPAction: ");
1437 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "Expect:");
1438 curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, ctx->curl_hdr);
1439
1440 return 0;
1441 }
1442
1443
soap_reinit_client(struct http_ctx * ctx)1444 int soap_reinit_client(struct http_ctx *ctx)
1445 {
1446 char *address = NULL;
1447 char *ca_fname = NULL;
1448 char *username = NULL;
1449 char *password = NULL;
1450 char *client_cert = NULL;
1451 char *client_key = NULL;
1452 int ret;
1453
1454 clear_curl(ctx);
1455
1456 clone_str(&address, ctx->svc_address);
1457 clone_str(&ca_fname, ctx->svc_ca_fname);
1458 clone_str(&username, ctx->svc_username);
1459 clone_str(&password, ctx->svc_password);
1460 clone_str(&client_cert, ctx->svc_client_cert);
1461 clone_str(&client_key, ctx->svc_client_key);
1462
1463 ret = soap_init_client(ctx, address, ca_fname, username, password,
1464 client_cert, client_key);
1465 os_free(address);
1466 os_free(ca_fname);
1467 str_clear_free(username);
1468 str_clear_free(password);
1469 os_free(client_cert);
1470 os_free(client_key);
1471 return ret;
1472 }
1473
1474
free_curl_buf(struct http_ctx * ctx)1475 static void free_curl_buf(struct http_ctx *ctx)
1476 {
1477 os_free(ctx->curl_buf);
1478 ctx->curl_buf = NULL;
1479 ctx->curl_buf_len = 0;
1480 }
1481
1482
soap_send_receive(struct http_ctx * ctx,xml_node_t * node)1483 xml_node_t * soap_send_receive(struct http_ctx *ctx, xml_node_t *node)
1484 {
1485 char *str;
1486 xml_node_t *envelope, *ret, *resp, *n;
1487 CURLcode res;
1488 long http = 0;
1489
1490 ctx->last_err = NULL;
1491
1492 wpa_printf(MSG_DEBUG, "SOAP: Sending message");
1493 envelope = soap_build_envelope(ctx->xml, node);
1494 str = xml_node_to_str(ctx->xml, envelope);
1495 xml_node_free(ctx->xml, envelope);
1496 wpa_printf(MSG_MSGDUMP, "SOAP[%s]", str);
1497
1498 curl_easy_setopt(ctx->curl, CURLOPT_POSTFIELDS, str);
1499 free_curl_buf(ctx);
1500
1501 res = curl_easy_perform(ctx->curl);
1502 if (res != CURLE_OK) {
1503 if (!ctx->last_err)
1504 ctx->last_err = curl_easy_strerror(res);
1505 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1506 ctx->last_err);
1507 os_free(str);
1508 free_curl_buf(ctx);
1509 return NULL;
1510 }
1511 os_free(str);
1512
1513 curl_easy_getinfo(ctx->curl, CURLINFO_RESPONSE_CODE, &http);
1514 wpa_printf(MSG_DEBUG, "SOAP: Server response code %ld", http);
1515 if (http != 200) {
1516 ctx->last_err = "HTTP download failed";
1517 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1518 free_curl_buf(ctx);
1519 return NULL;
1520 }
1521
1522 if (ctx->curl_buf == NULL)
1523 return NULL;
1524
1525 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ctx->curl_buf);
1526 resp = xml_node_from_buf(ctx->xml, ctx->curl_buf);
1527 free_curl_buf(ctx);
1528 if (resp == NULL) {
1529 wpa_printf(MSG_INFO, "Could not parse SOAP response");
1530 ctx->last_err = "Could not parse SOAP response";
1531 return NULL;
1532 }
1533
1534 ret = soap_get_body(ctx->xml, resp);
1535 if (ret == NULL) {
1536 wpa_printf(MSG_INFO, "Could not get SOAP body");
1537 ctx->last_err = "Could not get SOAP body";
1538 return NULL;
1539 }
1540
1541 wpa_printf(MSG_DEBUG, "SOAP body localname: '%s'",
1542 xml_node_get_localname(ctx->xml, ret));
1543 n = xml_node_copy(ctx->xml, ret);
1544 xml_node_free(ctx->xml, resp);
1545
1546 return n;
1547 }
1548
1549
http_init_ctx(void * upper_ctx,struct xml_node_ctx * xml_ctx)1550 struct http_ctx * http_init_ctx(void *upper_ctx, struct xml_node_ctx *xml_ctx)
1551 {
1552 struct http_ctx *ctx;
1553
1554 ctx = os_zalloc(sizeof(*ctx));
1555 if (ctx == NULL)
1556 return NULL;
1557 ctx->ctx = upper_ctx;
1558 ctx->xml = xml_ctx;
1559 ctx->ocsp = OPTIONAL_OCSP;
1560
1561 curl_global_init(CURL_GLOBAL_ALL);
1562
1563 return ctx;
1564 }
1565
1566
http_ocsp_set(struct http_ctx * ctx,int val)1567 void http_ocsp_set(struct http_ctx *ctx, int val)
1568 {
1569 if (val == 0)
1570 ctx->ocsp = NO_OCSP;
1571 else if (val == 1)
1572 ctx->ocsp = OPTIONAL_OCSP;
1573 if (val == 2)
1574 ctx->ocsp = MANDATORY_OCSP;
1575 }
1576
1577
http_deinit_ctx(struct http_ctx * ctx)1578 void http_deinit_ctx(struct http_ctx *ctx)
1579 {
1580 clear_curl(ctx);
1581 os_free(ctx->curl_buf);
1582 curl_global_cleanup();
1583
1584 os_free(ctx->svc_address);
1585 os_free(ctx->svc_ca_fname);
1586 str_clear_free(ctx->svc_username);
1587 str_clear_free(ctx->svc_password);
1588 os_free(ctx->svc_client_cert);
1589 os_free(ctx->svc_client_key);
1590
1591 os_free(ctx);
1592 }
1593
1594
http_download_file(struct http_ctx * ctx,const char * url,const char * fname,const char * ca_fname)1595 int http_download_file(struct http_ctx *ctx, const char *url,
1596 const char *fname, const char *ca_fname)
1597 {
1598 CURL *curl;
1599 FILE *f = NULL;
1600 CURLcode res;
1601 long http = 0;
1602 int ret = -1;
1603
1604 ctx->last_err = NULL;
1605 ctx->url = url;
1606
1607 wpa_printf(MSG_DEBUG, "curl: Download file from %s to %s (ca=%s)",
1608 url, fname, ca_fname);
1609 curl = curl_easy_init();
1610 if (curl == NULL)
1611 goto fail;
1612
1613 f = fopen(fname, "wb");
1614 if (!f)
1615 goto fail;
1616
1617 curl_easy_setopt(curl, CURLOPT_URL, url);
1618 if (ca_fname) {
1619 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1620 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1621 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1622 } else {
1623 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1624 }
1625 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1626 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
1627 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fwrite);
1628 curl_easy_setopt(curl, CURLOPT_WRITEDATA, f);
1629 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1630
1631 res = curl_easy_perform(curl);
1632 if (res != CURLE_OK) {
1633 if (!ctx->last_err)
1634 ctx->last_err = curl_easy_strerror(res);
1635 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1636 ctx->last_err);
1637 goto fail;
1638 }
1639
1640 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1641 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1642 if (http != 200) {
1643 ctx->last_err = "HTTP download failed";
1644 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1645 goto fail;
1646 }
1647
1648 ret = 0;
1649
1650 fail:
1651 ctx->url = NULL;
1652 if (curl)
1653 curl_easy_cleanup(curl);
1654 if (f)
1655 fclose(f);
1656
1657 return ret;
1658 }
1659
1660
http_post(struct http_ctx * ctx,const char * url,const char * data,const char * content_type,const char * ext_hdr,const char * ca_fname,const char * username,const char * password,const char * client_cert,const char * client_key,size_t * resp_len)1661 char * http_post(struct http_ctx *ctx, const char *url, const char *data,
1662 const char *content_type, const char *ext_hdr,
1663 const char *ca_fname,
1664 const char *username, const char *password,
1665 const char *client_cert, const char *client_key,
1666 size_t *resp_len)
1667 {
1668 long http = 0;
1669 CURLcode res;
1670 char *ret = NULL;
1671 CURL *curl;
1672 struct curl_slist *curl_hdr = NULL;
1673
1674 ctx->last_err = NULL;
1675 ctx->url = url;
1676 wpa_printf(MSG_DEBUG, "curl: HTTP POST to %s", url);
1677 curl = setup_curl_post(ctx, url, ca_fname, username, password,
1678 client_cert, client_key);
1679 if (curl == NULL)
1680 goto fail;
1681
1682 if (content_type) {
1683 char ct[200];
1684 snprintf(ct, sizeof(ct), "Content-Type: %s", content_type);
1685 curl_hdr = curl_slist_append(curl_hdr, ct);
1686 }
1687 if (ext_hdr)
1688 curl_hdr = curl_slist_append(curl_hdr, ext_hdr);
1689 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curl_hdr);
1690
1691 curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);
1692 free_curl_buf(ctx);
1693
1694 res = curl_easy_perform(curl);
1695 if (res != CURLE_OK) {
1696 if (!ctx->last_err)
1697 ctx->last_err = curl_easy_strerror(res);
1698 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1699 ctx->last_err);
1700 goto fail;
1701 }
1702
1703 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1704 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1705 if (http != 200) {
1706 ctx->last_err = "HTTP POST failed";
1707 wpa_printf(MSG_INFO, "HTTP POST failed - code %ld", http);
1708 goto fail;
1709 }
1710
1711 if (ctx->curl_buf == NULL)
1712 goto fail;
1713
1714 ret = ctx->curl_buf;
1715 if (resp_len)
1716 *resp_len = ctx->curl_buf_len;
1717 ctx->curl_buf = NULL;
1718 ctx->curl_buf_len = 0;
1719
1720 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ret);
1721
1722 fail:
1723 free_curl_buf(ctx);
1724 ctx->url = NULL;
1725 return ret;
1726 }
1727
1728
http_set_cert_cb(struct http_ctx * ctx,int (* cb)(void * ctx,struct http_cert * cert),void * cb_ctx)1729 void http_set_cert_cb(struct http_ctx *ctx,
1730 int (*cb)(void *ctx, struct http_cert *cert),
1731 void *cb_ctx)
1732 {
1733 ctx->cert_cb = cb;
1734 ctx->cert_cb_ctx = cb_ctx;
1735 }
1736
1737
http_get_err(struct http_ctx * ctx)1738 const char * http_get_err(struct http_ctx *ctx)
1739 {
1740 return ctx->last_err;
1741 }
1742